Latest news about information security threats and incidents
Preventing the security threats and incidents described below is wiser and cheaper than forensic investigation and mitigation of the consequences of a cyber attack.
The news below provides the evidence for this.
Use our services to find and mitigate your security vulnerabilities before the security threat agents find them.
Australia Investigates Foreign Influence in Universities After Cyber Security Threats
The Australian government has established new guidelines for universities to counter 'unprecedented levels' of foreign influence. Alarm has been rising about the influence of China on Australian campuses, following a series of controversial computer hacks and donations linked to Beijing. More details.
Posted on 16 November 2019 10:15 pm
French government forms cybersecurity pact with major French companies
The French government signed on Thursday a three-year cybersecurity pact with eight of the country’s leading companies, as major world nations step up security arrangements in the wake of recent high-profile hacking incidents. The French government said it had signed the agreement - for which no.... More details.
Posted on 16 November 2019 10:15 pm
Comment on CAH Holdings issues notice after employee email accounts compromised
What follows is a somewhat unsatisfactory notice. It does not indicate when the email accounts were compromised. It does not indicate when the firm first discovered it or how they discovered it. It does not indicate how many people are being notified by them. It does not explain to patients why a holdings firm has their information. More details.
Posted on 16 November 2019 7:01 pm
Reminder: Malware Can Exploit Improper Configurations
Original release date: November 15, 2019 Protect yourself from unwanted—and potentially harmful—files or programs by adhering to vendor-recommended configurations for hardware and software. Doing so in addition to maintaining regular patch maintenance, will help give your systems and networks the best security possible. More details.
Posted on 16 November 2019 6:24 pm
New WhatsApp Bug Lets Hackers Execute Remote Code & Perform DoS Attack by Sending Crafted MP4 File
A new critical vulnerability found in both the Android and iOS versions of WhatsApp lets hackers send a specially crafted MP4 file to a WhatsApp user and trigger a stack-based buffer overflow to perform remote code execution or a DoS attack. Facebook-owned privacy-oriented messenger WhatsApp is one of the.... More details.
Posted on 16 November 2019 2:05 pm
Cyberattacks Target UK Labour Party | Avast - Security Boulevard
An attack on the Labour Party's website Monday succeeded in causing certain services to go offline. According to BBC News, the strike was a Distributed Denial of Service (DDoS) attack, a blitz of internet.... More details.
Posted on 16 November 2019 10:44 am
GitHub makes CodeQL free for research and open source
CodeQL, a semantic code analysis engine and query tool for finding security vulnerabilities across a codebase, has.... More details.
Posted on 16 November 2019 3:26 am
Glen Singh on why Kali Linux is an arsenal for any cybersecurity professional [Interview] - Packt Hub
Kali Linux is a familiar name to anyone involved in computer security. It is the most renowned toolkit for advanced Penetration Testing, Ethical Hacking and network security assessments. To learn more about Kali Linux, we recently had a quick chat with Glen D. More details.
Posted on 16 November 2019 12:50 am
US Govt Recommends Vendor System Configs To Block Malware Attacks
The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) today reminded users and system administrators to properly configure their systems to defend against malware that can exploit improper configurations. The reminder was published by the cyber-security agency.... More details.
Posted on 16 November 2019 12:40 am
Roger Stone found guilty on all counts
A jury on Friday found longtime Trump associate Roger Stone guilty on seven counts that include obstruction, giving false statements to a House committee and witness tampering, following the conclusion of a federal trial on charges related to the Mueller investigation. Context: Stone, 67, was indicted in January. More details.
Posted on 15 November 2019 10:00 pm
Check Point firewall ZoneAlarm suffers data breach incident
specialists, ZoneAlarm, the firewall software produced by security firm Check Point, was the victim of a data breach that compromised the information stored in one of the company’s online forums. After infiltrating the ZoneAlarm forum, threat actors gained illegitimate access to the full names,.... More details.
Posted on 15 November 2019 9:07 pm
Russia and China may not be the top cyberthreats
While Russia and China pose significant threats, especially in the cyber domain, one expert worries that lesser known actors might be a more immediate concern. “The biggest challenge is we focus too much, especially according to the [National Defense Strategy], on great powers. More details.
Posted on 15 November 2019 8:57 pm
DDoS-for-Hire Services operator sentenced to 13 months in prison
Sergiy P. Usatyuk, a man who was operating several DDoS-for-hire services, was sentenced to 13 months in prison and an additional three years of supervised release. DDoS-for-hire services, aka stressers or booters, allow crooks to launch large-scale DDoS attacks by paying a subscription fee. More details.
Posted on 15 November 2019 8:37 pm
U.S. to strictly enforce anti-money laundering rules in cryptocurrencies: FinCEN chief
By Gertrude Chavez-Dreyfuss NEW YORK (Reuters) - The U.S. government will strictly enforce a rule that requires cryptocurrency firms engaged in money service businesses such as digital asset exchanges and wallet service providers to share information about their customers, Kenneth Blanco, director.... More details.
Posted on 15 November 2019 8:05 pm
APT33 Mounts Focused, Highly Targeted Botnet Attacks Against U.S. Victims
The Iran-linked, espionage-focused advanced threat group known as APT33 has been spotted using more than a dozen obfuscated botnets to carry out narrowly targeted attacks against government and academic targets in the Middle East, the U.S. and Asia. Each botnet, linked to its own command-and-control.... More details.
Posted on 15 November 2019 7:10 pm
7 Takeaways: Insider Breach at Twitter
Why ask your government's elite hackers to play ninja against a target's network and steal data when you can achieve the same result by buying off insiders? That's the alleged nation-state assault tactic that came to light last week, when the U. More details.
Posted on 15 November 2019 6:45 pm
Virtual tools, real fires: How holograms and other tech could help outsmart bushfires
By David Tuffley; Nov 15, 2019. Australia continues to experience unprecedented destruction from bushfires. Now is the time to harness our technological tools, and find innovative ways to help alleviate the problem, and also prevent future disaster. has been a vital tool in an ongoing effort to.... More details.
Posted on 15 November 2019 6:12 pm
Better cyber-hygiene can foil tech espionage: Defence experts - Outlook India
New Delhi, Nov 15 (IANS) The Indian Army's recent directive to its personnel in critical posts to deactivate their Facebook accounts and not share official information on WhatsApp might only partly address the challenges posed by.... More details.
Posted on 15 November 2019 3:12 pm
What a pair of Massholes! New England duo cuffed over SIM-swapping cryptocoin charges
Two men from Massachusetts have been arrested and charged with 11 criminal counts stemming from a string of account takeovers and cryptocurrency thefts. 21-year-old Eric Meiggs and 20-year-old Declan Harrington each face charges of wire fraud, conspiracy, computer fraud and abuse, and aggravated.... More details.
Posted on 15 November 2019 2:40 pm
Attack tools and techniques used by major ransomware families
Ransomware tries to slip unnoticed past security controls by abusing trusted and legitimate processes, and then harnesses internal systems to encrypt the maximum number of files and disable backup and recovery processes before an IT security team catches up, according to a new Sophos report. More details.
Posted on 15 November 2019 2:24 pm
How the Linux kernel balances the risks of public bug disclosure
Last month a serious Linux Wi-Fi flaw ( CVE-2019-17666 ) was uncovered that could have enabled an attacker to take over a Linux device using its Wi-Fi interface. At the time it was disclosed Naked Security decided to wait until a patch was available before writing about it. More details.
Posted on 15 November 2019 2:24 pm
Japan's Line launches public bug bounty programme with HackerOne
Japanese company Line said it's transitioning its entire bug bounty ecosystem to the HackerOne platform. Through the programme, ethical hackers are invited to test Line's core messenger application and web domains for potential vulnerabilities and securely disclose them to Line. More details.
Posted on 15 November 2019 2:08 pm
Data thieves blew cover after maxing out victim’s hard drive
An anonymous cybercriminal (or perhaps a gang) over-pilfered from a victim's filesystem and blew the "disk full" whistle on their own massive data-stealing operation. The Federal Trade Commission (FTC) has reached a settlement with InfoTrax, a Utah-based company that provides business operations.... More details.
Posted on 15 November 2019 1:34 pm
New group of hackers targets businesses with backdoor malware in financially-motivated attacks
ProofPoint researchers uncovered a new phishing scheme that targets several businesses and organizations in Germany, Italy, and the United States in order to infect their networks with malware. The attacks are orchestrated by a relatively new hacking crew, tracked as TA2101, that appears to be.... More details.
Posted on 15 November 2019 11:21 am
GitHub launches Security Lab to spot vulnerabilities in open-source code
GitHub has officially launched a new Security Lab with an aim to secure open-source software. The objective is to “bring together security researchers, maintainers, and companies across the industry who share our belief that the security of open source is important for everyone,” Joining the.... More details.
Posted on 15 November 2019 10:53 am
RSA Conference 2020 Introduces the RSAC Engagement Zone
New Dedicated Area for Peer-to-Peer Networking and Collaborative Learning Designed to Deepen Connections Among Cybersecurity Community at RSAC RSA Conference, the world’s leading information security conferences and expositions, today announced that RSA Conference 2020 will feature the new RSAC.... More details.
Posted on 15 November 2019 10:28 am
Malware drive-by attack triggered Australia's first cyber emergency
First details of Parliament hack emerge. Cyber security experts took more than a week to eject the state-sponsored attacker from Parliament’s computing network after it was compromised by malware earlier this year, Senate President Scott Ryan has revealed. More details.
Posted on 15 November 2019 8:18 am
Risky Dialing: Trump Call Raises Security Worries
"The use of private cell phones to discuss official diplomatic issues is a monumental security lapse, especially when either of the parties is overseas," says , founder of Rendition Infosec and a former operator with the National Security Agency. "In addition to the immediate threat, there's likely.... More details.
Posted on 15 November 2019 8:05 am
Evaluating cyber risk during the holiday season
Fears of data loss, identity theft and fraud are leaving American consumers on edge this holiday season, and they’re prepared to hold their financial institution responsible for the damages. This is according to a new study released by Terbium Labs, which found that 68 percent of shoppers would.... More details.
Posted on 15 November 2019 6:09 am
Two Charged Over Crypto Theft via SIM Swapping, Death Threats
By GIXnews. Two men from Massachusetts were arrested and charged by the Boston U.S. District Court with stealing high-value social media accounts and hundreds of thousands of dollars' worth of cryptocurrency from at least ten victims by using SIM swapping, death threats, and hacking. More details.
Posted on 15 November 2019 3:09 am
TA2101 plays government imposter to distribute malware to German, Italian, and US organizations
Overview. Proofpoint researchers recently detected campaigns from a relatively new actor, tracked internally as TA2101, targeting German companies and organizations to deliver and install backdoor malware. The actor initiated their campaigns impersonating the Bundeszentralamt für Steuern, the.... More details.
Posted on 15 November 2019 1:42 am
Australia's parliamentary IT system hacked earlier this year - report
SYDNEY: The computer network of Australia's parliament was hacked earlier this year and data was stolen from the computers of several elected officials, the Australian Broadcasting Corp reported. Security agencies discovered the attack on Jan. 31 this year and monitored it for a week before shutting.... More details.
Posted on 14 November 2019 11:22 pm
Web payment card skimmers add anti-forensics capabilities
Posted on 14 November 2019 10:39 pm
NCSC-NZ Releases Annual Cyber Threat Report
Original release date: November 14, 2019. The New Zealand National Cyber Security Centre (NCSC-NZ) has released.... More details.
Posted on 14 November 2019 9:15 pm
Carding Bots Testing Payment Info Ahead of Big Shopping Events
As the main events of this year's holiday shopping season are closing in, cybercriminals are also getting ready for the plunder by validating their stolen card details with low-value purchases on retailers' websites. Two new such carding bots have been spotted exploiting top e-commerce platforms and.... More details.
Posted on 14 November 2019 9:06 pm
Axios Codebook: The myth of sophistication — Fortune 500 get hit — New DNC timeline
On Tuesday, the U.K.'s Labour Party became the latest in a decade-long line of victims to claim they were targeted by a "sophisticated" cyberattack that wasn't, actually, very sophisticated. The big picture: It's the latest lexical stretch for an adjective that's widely used in reports of.... More details.
Posted on 14 November 2019 8:34 pm
Alleged SIM-swappers charged in $550,000 cryptocurrency scam
Written by Shannon Vavra, Nov 14, 2019 | CYBERSCOOP. The U.S. Department of Justice charged two men on Wednesday in connection with a two-year-old scheme in which they allegedly stole victims' phone numbers to steal hundreds of thousands of dollars worth of cryptocurrency. More details.
Posted on 14 November 2019 8:17 pm
Over Half of Fortune 500 Exposed To Remote Access Hacking
Over a two-week period, the computer networks at more than half of the Fortune 500 left a remote access protocol dangerously exposed to the internet , something many experts warn should never happen, according to new research by the security firm Expanse and 451 research. More details.
Posted on 14 November 2019 7:59 pm
Boom in Lookalike Retail Domains
New research into domains registered with a trusted TLS certificate has found lookalike domains outnumber legitimate retail sites by more than 2:1. In a conducted by researchers at Venafi, suspicious domains targeting 20 major retailers in the US, UK, France, Germany, and Australia were analyzed. More details.
Posted on 14 November 2019 7:40 pm
Beating The Crypto-Criminals
Instead of proving a flash in the pan, enthusiasm for cryptocurrency has grown - and with it the associated fraud. Cyber criminals were quick to develop malware with the aim of stealing cryptocurrencies, with attackers finding ways to exploit the anonymity offered. More details.
Posted on 14 November 2019 6:42 pm
How Does Your Cyber Resilience Measure Up?
In this Tech Digest, Dark Reading shares the experiences of some top.... More details.
Posted on 14 November 2019 4:28 pm
Check Point Software Technologies Revolutionizes IoT Cyber Security - Yahoo Finance
Acquired ground-breaking on-device IoT security technology to protect against 5th and 6th generation cyber attacks. SAN CARLOS, Calif., Nov. 14, 2019 (GLOBE NEWSWIRE) -- Check Point Software Technologies, a leading provider of cyber security solutions globally,.... More details.
Posted on 14 November 2019 3:52 pm
Travelers beware of 'juice jacking' at public charging stations and how to safely charge devices on the go
As people prepare to travel during the busy holiday season it could be more important than ever to double check that devices are fully charged, or at least ensure you have a power adapter base and cord before leaving the house. The Los Angeles County district attorney's office issued a new warning.... More details.
Posted on 14 November 2019 3:28 pm
Only after running out of hard disk space did firm realise hacker had stolen one million users’ details
Yet another company has been found lacking when it comes to securing its consumers’ data. Utah-based InfoTrax Systems provides back-end services to multi-level marketing companies (MLMs) such as dōTERRA, ZanGo, and LifeVantage, providing website portals where individuals can register as a.... More details.
Posted on 14 November 2019 3:12 pm
Hackers can easily steal passport photos from vulnerable UK Brexit app, report claims
This is according to a report by Norwegian cybersecurity company Promon, which specializes in securing apps from hacking attacks. According to the report, the Brexit app (as it's commonly called) "lacks functionality that prevents malware from reading and stealing sensitive information provided by users, including passport details and photo IDs. More details.
Posted on 14 November 2019 3:02 pm
Comment on TX: City of San Angelo investigating Click2Gov breach
The City of San Angelo is investigating a security breach of the city's online water billing system after fears that customers' credit card information may have been stolen. "Some water customers may have noticed irregularities with their credit and debit card accounts after recently paying their.... More details.
Posted on 14 November 2019 2:05 pm
Strange AnteFrigus Ransomware Only Targets Specific Drives
A new and strange ransomware called AnteFrigus is now being distributed through malvertising that redirects users to the RIG exploit kit. Unlike other ransomware, AnteFrigus does not target the C: drive, but only other drives commonly associated with removable devices and mapped network drives. More details.
Posted on 14 November 2019 1:57 pm
The Dark Web's Automobile Hacking Forums
There are robust and detailed discussions in cybercriminal forums on how to attack modern vehicles, seeking clandestine methods to steal cars, says Etan Maor of IntSights. IntSights recently published a report on vehicle cybersecurity, exploring dark web forums where attacks are discussed. More details.
Posted on 14 November 2019 1:52 pm
Qualcomm Chip Flaws Let Hackers Steal Private Data From Android Devices
Hundreds of millions of devices, especially Android smartphones and tablets, using Qualcomm chipsets, are vulnerable to a new set of potentially serious vulnerabilities. According to a report cybersecurity firm CheckPoint shared with The Hacker News, the flaws could allow attackers to steal.... More details.
Posted on 14 November 2019 12:32 pm
Facebook fixes iPhone camera bug
Facebook was quick to reassure iPhone users this week that it wasn’t secretly spying on them via its app, after someone found the software keeping the phone’s rear camera active in the background. Facebook user Joshua Maddux discovered the problem on Saturday 9 November when looking at another.... More details.
Posted on 14 November 2019 12:30 pm
AA19-290A: Microsoft Ending Support for Windows 7 and Windows Server 2008 R2
Original release date: October 17, 2019 | Last revised: October 18, 2019.

Summary. Note: This alert does not apply to federally certified voting systems running Windows 7. Microsoft will continue to provide free security updates to those systems through the 2020 election. See Microsoft's article, Extending free Windows 7 security updates to voting systems, for more information. On January 14, 2020, Microsoft will end extended support for their Windows 7 and Windows Server 2008 R2 operating systems. After this date, these products will no longer receive free technical support, or software and security updates. Organizations that have regulatory obligations may find that they are unable to satisfy compliance requirements while running Windows 7 and Windows Server 2008 R2.

Technical Details. All software products have a lifecycle. "End of support" refers to the date when the software vendor will no longer provide automatic fixes, updates, or online technical assistance. For more information on end of support for Microsoft products see the Microsoft End of Support FAQ. Systems running Windows 7 and Windows Server 2008 R2 will continue to work at their current capacity even after support ends on January 14, 2020. However, using unsupported software may increase the likelihood of malware and other security threats. Mission and business functions supported by systems running Windows 7 and Windows Server 2008 R2 could experience negative consequences resulting from unpatched vulnerabilities and software bugs. These negative consequences could include the loss of confidentiality, integrity, and availability of data, system resources, and business assets.

Mitigations. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and organizations to: Upgrade to a newer operating system. Identify affected devices to determine breadth of the problem and assess risk of not upgrading... More details.
Posted on 17 October 2019 4:36 pm
Mitsubishi Electric Europe B.V. smartRTU and INEA ME-RTU (Update A)
This updated alert is a follow-up to the original alert titled ICS-ALERT-19-225-01 Mitsubishi Electric smartRTU and INEA ME-RTU that was published August 13, 2019, on the ICS webpage on us-cert.gov. CISA is aware of a public report of proof-of-concept (PoC) exploit code for vulnerabilities affecting Mitsubishi Electric smartRTU devices. According to this report, there are multiple vulnerabilities that could result in remote code execution with root privileges. CISA is issuing this alert to provide early notice of the report. More details.
Posted on 10 September 2019 2:30 pm
CAN Bus Network Implementation in Avionics
CISA is aware of a public report of insecure implementation of CAN bus networks affecting aircraft. According to this report, the CAN bus networks are exploitable when an attacker has unsupervised physical access to the aircraft. CISA is issuing this alert to provide early notice of the report. More details.
Posted on 30 July 2019 1:00 pm
AA19-168A: Microsoft Operating Systems BlueKeep Vulnerability
Original release date: June 17, 2019.

Summary. The Cybersecurity and Infrastructure Security Agency (CISA) is issuing this Activity Alert to provide information on a vulnerability, known as "BlueKeep," that exists in the following Microsoft Windows Operating Systems (OSs), including both 32- and 64-bit versions, as well as all Service Pack versions: Windows 2000, Windows Vista, Windows XP, Windows 7, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2. An attacker can exploit this vulnerability to take control of an affected system.

Technical Details. BlueKeep (CVE-2019-0708) exists within the Remote Desktop Protocol (RDP) used by the Microsoft Windows OSs listed above. An attacker can exploit this vulnerability to perform remote code execution on an unprotected system. According to Microsoft, an attacker can send specially crafted packets to one of these operating systems that has RDP enabled. After successfully sending the packets, the attacker would have the ability to perform a number of actions: adding accounts with full user rights; viewing, changing, or deleting data; or installing programs. This exploit, which requires no user interaction, must occur before authentication to be successful. BlueKeep is considered "wormable" because malware exploiting this vulnerability on a system could propagate to other vulnerable systems; thus, a BlueKeep exploit would be capable of rapidly spreading in a fashion similar to the WannaCry malware attacks of 2017. CISA has coordinated with external stakeholders and determined that Windows 2000 is vulnerable to BlueKeep.

Mitigations. CISA encourages users and administrators to review the Microsoft Security Advisory and the Microsoft Customer Guidance for CVE-2019-0708 and apply the appropriate mitigation measures as soon as possible: Install available patches... More details.
Posted on 17 June 2019 1:37 pm
DICOM Standard in Medical Devices
NCCIC is aware of a public report of a vulnerability in the DICOM (Digital Imaging and Communications in Medicine) standard with proof-of-concept (PoC) exploit code. The DICOM standard is the international standard to transmit, store, retrieve, print, process, and display medical imaging information. According to this report, the vulnerability is exploitable by embedding executable code into the 128 byte preamble. This report was released without coordination with NCCIC or any known vendor. More details.
Posted on 11 June 2019 4:15 pm
AA19-122A: New Exploits for Unsecure SAP Systems
Original release date: May 2, 2019 | Last revised: May 3, 2019.

Summary. The Cybersecurity and Infrastructure Security Agency (CISA) is issuing this activity alert in response to recently disclosed exploits that target unsecure configurations of SAP components. [1]

Technical Details. A presentation at the April 2019 Operation for Community Development and Empowerment (OPCDE) cybersecurity conference describes SAP systems with unsecure configurations exposed to the internet. Typically, SAP systems are not intended to be exposed to the internet as it is an untrusted network. Malicious cyber actors can attack and compromise these unsecure systems with publicly available exploit tools, termed "10KBLAZE." The presentation details the new exploit tools and reports on systems exposed to the internet.

SAP Gateway ACL. The SAP Gateway allows non-SAP applications to communicate with SAP applications. If SAP Gateway access control lists (ACLs) are not configured properly (e.g., gw/acl_mode = 0), anonymous users can run operating system (OS) commands. [2] According to the OPCDE presentation, about 900 U.S. internet-facing systems were detected in this vulnerable condition.

SAP Router secinfo. The SAP router is a program that helps connect SAP systems with external networks. The default secinfo configuration for a SAP Gateway allows any internal host to run OS commands anonymously. If an attacker can access a misconfigured SAP router, the router can act as an internal host and proxy the attacker's requests, which may result in remote code execution. According to the OPCDE presentation, 1,181 SAP routers were exposed to the internet. It is unclear if the exposed systems were confirmed to be vulnerable or were simply running the SAP router service.

SAP Message Server. SAP Message Servers act as brokers between Application Servers (AS). By default, Message Servers listen on port 39XX and have no authentication. If an attacker can access a Message Server, they can redirect and/or execute legitimate man-in-the-middle (MITM) requests, thereby gaining credentials... More details.
Posted on 2 May 2019 10:54 pm
AA19-024A: DNS Infrastructure Hijacking Campaign
Original release date: January 24, 2019 | Last revised: February 13, 2019.

Summary. The National Cybersecurity and Communications Integration Center (NCCIC), part of the Cybersecurity and Infrastructure Security Agency (CISA), is aware of a global Domain Name System (DNS) infrastructure hijacking campaign. Using compromised credentials, an attacker can modify the location to which an organization's domain name resources resolve. This enables the attacker to redirect user traffic to attacker-controlled infrastructure and obtain valid encryption certificates for an organization's domain names, enabling man-in-the-middle attacks. See the following links for downloadable copies of open-source indicators of compromise (IOCs) from the sources listed in the References section below: IOCs (.csv), IOCs (.stix). Note: these files were last updated February 13, 2019, to remove the following three non-malicious IP addresses: 184.108.40.206, 220.127.116.11, 18.104.22.168.

Technical Details. Using the following techniques, attackers have redirected and intercepted web and mail traffic, and could do so for other networked services. The attacker begins by compromising user credentials, or obtaining them through alternate means, of an account that can make changes to DNS records. Next, the attacker alters DNS records, like Address (A), Mail Exchanger (MX), or Name Server (NS) records, replacing the legitimate address of a service with an address the attacker controls. This enables them to direct user traffic to their own infrastructure for manipulation or inspection before passing it on to the legitimate service, should they choose. This creates a risk that persists beyond the period of traffic redirection. Because the attacker can set DNS record values, they can also obtain valid encryption certificates for an organization's domain names. This allows the redirected traffic to be decrypted, exposing any user-submitted data... More details.
Posted on 24 January 2019 8:01 pm
AA18-337A: SamSam Ransomware
Original release date: December 3, 2018.

Summary. The Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) and the Federal Bureau of Investigation (FBI) are issuing this activity alert to inform computer network defenders about SamSam ransomware, also known as MSIL/Samas.A. Specifically, this product shares analysis of vulnerabilities that cyber actors exploited to deploy this ransomware. In addition, this report provides recommendations for prevention and mitigation. The SamSam actors targeted multiple industries, including some within critical infrastructure. Victims were located predominantly in the United States, but also internationally. Network-wide infections against organizations are far more likely to garner large ransom payments than infections of individual systems. Organizations that provide essential functions have a critical need to resume operations quickly and are more likely to pay larger ransoms.

The actors exploit Windows servers to gain persistent access to a victim's network and infect all reachable hosts. According to reporting from victims in early 2016, cyber actors used the JexBoss Exploit Kit to access vulnerable JBoss applications. Since mid-2016, FBI analysis of victims' machines indicates that cyber actors use Remote Desktop Protocol (RDP) to gain persistent access to victims' networks. Typically, actors either use brute force attacks or stolen login credentials. Detecting RDP intrusions can be challenging because the malware enters through an approved access point. After gaining access to a particular network, the SamSam actors escalate privileges for administrator rights, drop malware onto the server, and run an executable file, all without victims' action or authorization. While many ransomware campaigns rely on a victim completing an action, such as opening an email or visiting a compromised website, RDP allows cyber actors to infect victims with minimal detection... More details.
Posted on 3 December 2018 4:18 pm
TA18-331A: 3ve – Major Online Ad Fraud Operation
Original release date: November 27, 2018. Systems Affected. Microsoft Windows Overview. This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). DHS and FBI are releasing this TA to provide information about a major online ad fraud operation—referred to by the U.S. Government as "3ve"—involving the control of over 1.7 million unique Internet Protocol (IP) addresses globally, when sampled over a 10-day window. Description. Online advertisers desire premium websites on which to publish their ads and large numbers of visitors to view those ads. 3ve created fake versions of both (websites and visitors), and funneled the advertising revenue to cyber criminals. 3ve obtained control over 1.7 million unique IPs by leveraging victim computers infected with Boaxxe/Miuref and Kovter malware, as well as Border Gateway Protocol-hijacked IP addresses. Boaxxe/Miuref Malware Boaxxe malware is spread through email attachments and drive-by downloads. The ad fraud scheme that utilizes the Boaxxe botnet is primarily located in a data center. Hundreds of machines in this data center are browsing to counterfeit websites. When these counterfeit webpages are loaded into a browser, requests are made for ads to be placed on these pages. The machines in the data center use the Boaxxe botnet as a proxy to make requests for these ads. A command and control (C2) server sends instructions to the infected botnet computers to make the ad requests in an effort to hide their true data center IPs. Kovter Malware Kovter malware is also spread through email attachments and drive-by downloads. The ad fraud scheme that utilizes the Kovter botnet runs a hidden Chromium Embedded Framework (CEF) browser on the infected machine that the user cannot see. A C2 server tells the infected machine to visit counterfeit websites... More details.
Posted on 27 November 2018 5:09 pm
AA18-284A: Publicly Available Tools Seen in Cyber Incidents Worldwide
Original release date: October 11, 2018. Summary. This report is a collaborative research effort by the cyber security authorities of five nations: Australia, Canada, New Zealand, the United Kingdom, and the United States. In it we highlight the use of five publicly available tools, which have been used for malicious purposes in recent cyber incidents around the world. The five tools are: Remote Access Trojan: JBiFrost; Webshell: China Chopper; Credential Stealer: Mimikatz; Lateral Movement Framework: PowerShell Empire; C2 Obfuscation and Exfiltration: HUC Packet Transmitter. To aid the work of network defenders and systems administrators, we also provide advice on limiting the effectiveness of these tools and detecting their use on a network. The individual tools we cover in this report are limited examples of the types of tools used by threat actors. You should not consider this an exhaustive list when planning your network defense. Tools and techniques for exploiting networks and the data they hold are by no means the preserve of nation states or criminals on the dark web. Today, malicious tools with a variety of functions are widely and freely available for use by everyone from skilled penetration testers, hostile state actors and organized criminals, to amateur cyber criminals. The tools in this Activity Alert have been used to compromise information across a wide range of critical sectors, including health, finance, government, and defense. Their widespread availability presents a challenge for network defense and threat-actor attribution. Experience from all our countries makes it clear that, while cyber threat actors continue to develop their capabilities, they still make use of established tools and techniques. Even the most sophisticated threat actor groups use common, publicly available tools to achieve their objectives. Whatever these objectives may be, initial compromises of victim systems are often established through exploitation of common security weaknesses... More details.
Posted on 11 October 2018 3:19 pm
TA18-276B: Advanced Persistent Threat Activity Exploiting Managed Service Providers
Original release date: October 3, 2018. Systems Affected. Network Systems Overview. The National Cybersecurity and Communications Integration Center (NCCIC) is aware of ongoing APT actor activity attempting to infiltrate the networks of global managed service providers (MSPs). Since May 2016, APT actors have used various tactics, techniques, and procedures (TTPs) for the purposes of cyber espionage and intellectual property theft. APT actors have targeted victims in several U.S. critical infrastructure sectors, including Information Technology (IT), Energy, Healthcare and Public Health, Communications, and Critical Manufacturing. This Technical Alert (TA) provides information and guidance to assist MSP customer network and system administrators with the detection of malicious activity on their networks and systems and the mitigation of associated risks. This TA includes an overview of TTPs used by APT actors in MSP network environments, recommended mitigation techniques, and information on reporting incidents. Description. MSPs provide remote management of customer IT and end-user systems. The number of organizations using MSPs has grown significantly over recent years because MSPs allow their customers to scale and support their network environments at a lower cost than financing these resources internally. MSPs generally have direct and unfettered access to their customers’ networks, and may store customer data on their own internal infrastructure. By servicing a large number of customers, MSPs can achieve significant economies of scale. However, a compromise in one part of an MSP’s network can spread globally, affecting other customers and introducing risk. Using an MSP significantly increases an organization’s virtual enterprise infrastructure footprint and its number of privileged accounts, creating a larger attack surface for cyber criminals and nation-state actors. By using compromised legitimate MSP credentials (e... More details.
Posted on 3 October 2018 11:47 am
TA18-276A: Using Rigorous Credential Control to Mitigate Trusted Network Exploitation
Original release date: October 3, 2018. Systems Affected. Network Systems Overview. This technical alert addresses the exploitation of trusted network relationships and the subsequent illicit use of legitimate credentials by Advanced Persistent Threat (APT) actors. It identifies APT actors' tactics, techniques, and procedures (TTPs) and describes the best practices that could be employed to mitigate each of them. The mitigations for each TTP are arranged according to the National Institute of Standards and Technology (NIST) Cybersecurity Framework core functions of Protect, Detect, Respond, and Recover. Description. APT actors are using multiple mechanisms to acquire legitimate user credentials to exploit trusted network relationships in order to expand unauthorized access, maintain persistence, and exfiltrate data from targeted organizations. Suggested best practices for administrators to mitigate this threat include auditing credentials, remote-access logs, and controlling privileged access and remote access. Impact. APT actors are conducting malicious activity against organizations that have trusted network relationships with potential targets, such as a parent company, a connected partner, or a contracted managed service provider (MSP). APT actors can use legitimate credentials to expand unauthorized access, maintain persistence, exfiltrate data, and conduct other operations, while appearing to be authorized users. Leveraging legitimate credentials to exploit trusted network relationships also allows APT actors to access other devices and other trusted networks, which affords intrusions a high level of persistence and stealth. Solution. Recommended best practices for mitigating this threat include rigorous credential and privileged-access management, as well as remote-access control, and audits of legitimate remote-access logs. While these measures aim to prevent the initial attack vectors and the spread of malicious activity, there is no single proven threat response... More details.
Posted on 3 October 2018 11:00 am
TA18-275A: HIDDEN COBRA – FASTCash Campaign
Original release date: October 2, 2018 | Last revised: December 21, 2018. Systems Affected. Retail Payment Systems Overview. This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS), the Department of the Treasury (Treasury), and the Federal Bureau of Investigation (FBI). Working with U.S. government partners, DHS, Treasury, and FBI identified malware and other indicators of compromise (IOCs) used by the North Korean government in an Automated Teller Machine (ATM) cash-out scheme—referred to by the U.S. Government as “FASTCash.” The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https://www.us-cert.gov/hiddencobra . FBI has high confidence that HIDDEN COBRA actors are using the IOCs listed in this report to maintain a presence on victims’ networks to enable network exploitation. DHS, FBI, and Treasury are distributing these IOCs to enable network defense and reduce exposure to North Korean government malicious cyber activity. This TA also includes suggested response actions to the IOCs provided, recommended mitigation techniques, and information on reporting incidents. If users or administrators detect activity associated with the malware families associated with FASTCash, they should immediately flag it, report it to the DHS National Cybersecurity and Communications Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch), and give it the highest priority for enhanced mitigation. NCCIC conducted analysis on 10 malware samples related to this activity and produced a Malware Analysis Report (MAR). MAR-10201537, HIDDEN COBRA FASTCash-Related Malware, examines the tactics, techniques, and procedures observed in the malware. Visit the MAR-10201537 page for the report and associated IOCs. Description. Since at least late 2016, HIDDEN COBRA actors have used FASTCash tactics to target banks in Africa and Asia... More details.
Posted on 2 October 2018 3:45 pm
Meltdown and Spectre Vulnerabilities (Update J)
This updated alert is a follow-up to the updated alert titled ICS-ALERT-18-011-01 Meltdown and Spectre Vulnerabilities (Update I) that was published September 11, 2018, on the NCCIC/ICS-CERT website. More details.
Posted on 11 January 2018 5:51 pm
NCCIC is aware of a public report of an improper authentication vulnerability affecting WAGO PFC200, a Programmable Logic Controller (PLC) device. According to this report, the vulnerability is exploitable by sending a TCP payload on the bound port. This report was released after attempted coordination with WAGO. NCCIC has notified the affected vendor of the report and has asked the vendor to confirm the vulnerability and identify mitigations. NCCIC is issuing this alert to provide notice of the report and identify baseline mitigations for reducing risks to these and other cybersecurity attacks. More details.
Posted on 7 December 2017 9:11 pm
Eaton ELCSoft Vulnerabilities
NCCIC/ICS-CERT is aware of a public report of buffer overflow vulnerabilities affecting Eaton ELCSoft, a PLC programming software for Eaton Logic Control (ELC) controllers. According to the public report, which was coordinated with ICS-CERT prior to its public release, researcher Ariele Caltabiano (kimiya) working with Trend Micro's Zero Day Initiative, identified that an attacker can leverage these vulnerabilities to execute arbitrary code in the context of the process. ICS-CERT has notified the affected vendor, who has reported that they are planning to address the vulnerabilities. No timeline has been provided. ICS-CERT is issuing this alert to provide notice of the report and to identify baseline mitigations for reducing risks to these and other cybersecurity attacks. More details.
Posted on 4 August 2017 7:11 pm
CAN Bus Standard Vulnerability
NCCIC/ICS-CERT is aware of a public report of a vulnerability in the Controller Area Network (CAN) Bus standard with proof-of-concept (PoC) exploit code affecting CAN Bus, a broadcast-based network standard. According to the public report, which was coordinated with ICS-CERT prior to its public release, researchers Andrea Palanca, Eric Evenchick, Federico Maggi, and Stefano Zanero identified a vulnerability exploiting a weakness in the CAN protocol that allows an attacker to perform a denial-of-service (DoS) attack. More details.
Posted on 28 July 2017 7:34 pm
CRASHOVERRIDE, aka Industroyer, is the fourth family of malware publicly identified as targeting industrial control systems (ICS). It uses a modular design, with payloads that target several industrial communication protocols and are capable of directly controlling switches and circuit breakers. Additional modules include a data-wiping component and a module capable of causing a denial of service (DoS) to Siemens SIPROTEC devices. More details.
Posted on 25 July 2017 4:45 pm
Petya Malware Variant (Update C)
This updated alert is a follow-up to the updated alert titled ICS-ALERT-17-181-01B Petya Malware Variant that was published July 5, 2017, on the NCCIC/ICS-CERT web site. ICS-CERT is aware of reports of a variant of the Petya malware that is affecting several countries. ICS-CERT is releasing this alert to enhance the awareness of critical infrastructure asset owners/operators about the Petya variant and to identify product vendors that have issued recommendations to mitigate the risk associated with this malware. More details.
Posted on 30 June 2017 9:09 pm
Indicators Associated With WannaCry Ransomware (Update I)
This updated alert is a follow-up to the updated alert titled ICS-ALERT-17-135-01H Indicators Associated With WannaCry Ransomware that was published May 31, 2017, on the NCCIC/ICS-CERT web site. More details.
Posted on 15 May 2017 11:16 pm